Last night, Microsoft disclosed more than 25 critical memory allocation vulnerabilities in OT and IoT devices that could enable an attacker to bypass security controls and execute malicious code or cause a system to crash in industrial, medical, and enterprise networks.
<p>The biggest challenge faced by organisations today is simply not knowing what needs to be secured. Outside of the standard corporate IT environment typified by “Windows”, every organisation we talk to simply doesn’t know what devices they have, where they are, or what they do.</p>
<p>So when disclosures like this happen, most organisations would not have a clue what RTOS their OT, medical or IoT devices are running. I suspect the NHS may issue a cyber alert for this; however, it would only be informational. The NHS trusts we see all struggle to get to grips with DSPT requirements and all have high levels of uncertainty about the number, variety, location, and risk posed by their digital estate. In addition to this, sophisticated actors will attempt to use exploit chaining to circumvent the prescribed mitigations, as the recently disclosed FRAG/44 provides an attacker with the ability to bypass firewall rule-sets, breaking the segmentation and isolation recommendations for BadAlloc.</p>
<p>Vulnerabilities such as the BadAlloc flaws underscore the need for critical infrastructure and manufacturing organizations to have continuous visibility into the devices used in their production environments. It is no longer sufficient to evaluate your risk ‘with a clipboard’ on a periodic basis. When the CISO comes to ask if your organization is exposed to these latest vulnerabilities, you should have the answer immediately. Not being able to answer that question gives attackers the upper hand.</p>
<p>Since these vulnerabilities are in the Real-Time Operating Systems that are the foundation of many OT and IoT devices, the end-user may not actually know that they rely on these products. Hopefully, the OT OEM vendor community will evaluate these vulnerabilities and determine if they are a risk in their products. We always advise owners of OT to work with their vendors on how to appropriately mitigate vulnerabilities in critical devices. This case is no different.</p>